Sitecore 0-Day Vulnerability Enables Remote Code Execution by Attackers

Assetnote, a subsidiary of Searchlight Cyber, has uncovered a critical zero-day vulnerability in the Sitecore Experience Platform, a popular content management system used by enterprise customers.

The vulnerability, identified as CVE-2025-27218, allows unauthenticated remote code execution in the default configuration of Sitecore version 10.4.

Unsafe Deserialization Leads to Exploit

The vulnerability stems from an unsafe deserialization issue in the MachineKeyTokenService.IsTokenValid method.

This method utilizes the BinaryFormatter class to deserialize data from the ThumbnailsAccessToken header without proper validation.

The flaw is made worse by the order of operations: the token is deserialized first and only decrypted afterwards, so the encryption step offers no protection and attacker-controlled bytes reach BinaryFormatter before any check of their origin.

Researchers at Assetnote discovered that the vulnerability could be exploited by sending a specially crafted HTTP request with a malicious payload in the ThumbnailsAccessToken header.

This payload, when deserialized, can execute arbitrary code on the target system with the privileges of the application pool running Sitecore.

The exploit was successfully demonstrated using the ysoserial.net tool to generate a payload that executed the “whoami” command and wrote its output to a file in the Sitecore application directory.

According to the Searchlight Cyber report, this proof of concept highlights the severity of the vulnerability and its potential for abuse by malicious actors.
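A defensive check for the mechanism described above, added here as an example and not code from Sitecore, Assetnote or Searchlight Cyber: it inspects an HTTP request for a ThumbnailsAccessToken header whose value base64-decodes to a raw .NET BinaryFormatter stream, which begins with the well-known bytes 00 01 00 00 00 FF FF FF FF ("AAEAAAD/////" in base64). The sample requests and the hostname are constructed, and the header-name matching and request parsing are this example's own assumptions about where such a check would sit (a reverse proxy or request-logging layer).

```python
import base64
import binascii
from typing import Optional

# A .NET BinaryFormatter stream opens with a SerializationHeaderRecord
# (record type 0x00, root id 1, header id -1): 00 01 00 00 00 FF FF FF FF,
# which base64-encodes to the well-known prefix "AAEAAAD/////".
BINARYFORMATTER_MAGIC = bytes([0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF])
HEADER_NAME = "thumbnailsaccesstoken"  # HTTP header names are case-insensitive


def decode_token(value: str) -> Optional[bytes]:
    """Strict base64 decode of a header value; None if it is not base64."""
    text = value.strip()
    text += "=" * (-len(text) % 4)  # tolerate tokens sent without padding
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def is_suspicious_token(value: str) -> bool:
    """True when the header value decodes to a raw BinaryFormatter stream."""
    raw = decode_token(value)
    return raw is not None and raw.startswith(BINARYFORMATTER_MAGIC)


def inspect_request(raw_request: str) -> dict:
    """Scan the header block of a raw HTTP/1.1 request: is the
    ThumbnailsAccessToken header present, and does it carry a .NET object graph?"""
    lines = raw_request.split("\r\n\r\n", 1)[0].split("\r\n")
    report = {"request_line": lines[0], "has_token": False, "suspicious": False}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == HEADER_NAME:
            report["has_token"] = True
            report["suspicious"] |= is_suspicious_token(value)
    return report


# Constructed sample requests, not real captures. The third carries only the
# BinaryFormatter header bytes plus a few zero bytes, not a working payload.
BENIGN_REQUEST = "GET /sitecore/ HTTP/1.1\r\nHost: cms.example.test\r\n\r\n"
OPAQUE_TOKEN_REQUEST = ("GET /sitecore/ HTTP/1.1\r\nHost: cms.example.test\r\n"
                        "ThumbnailsAccessToken: c2VjcmV0\r\n\r\n")
SUSPICIOUS_REQUEST = ("GET /sitecore/ HTTP/1.1\r\nHost: cms.example.test\r\n"
                      "thumbnailsaccesstoken: AAEAAAD/////AQAAAAAAAAA=\r\n\r\n")

if __name__ == "__main__":
    for req in (BENIGN_REQUEST, OPAQUE_TOKEN_REQUEST, SUSPICIOUS_REQUEST):
        print(inspect_request(req))
```

A prefix match only identifies the serialization format, so it is a detection aid that complements the vendor patch rather than replacing it.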

Implications and Mitigation

This vulnerability poses a significant risk to organizations using affected versions of Sitecore, as it allows unauthenticated attackers to gain remote code execution capabilities on vulnerable systems.

The pre-authentication nature of the exploit makes it particularly dangerous, potentially enabling large-scale attacks against exposed Sitecore instances.

Sitecore has released an advisory detailing the affected versions and recommended patches to address the vulnerability.

Organizations using Sitecore are strongly advised to review the advisory and apply the necessary updates as soon as possible to mitigate the risk of exploitation.

The discovery of this vulnerability underscores the importance of continuous security assessments, especially for widely used enterprise software.

It also highlights the ongoing challenges associated with the use of potentially dangerous serialization methods like BinaryFormatter in .NET applications.

As the threat landscape continues to evolve, organizations must remain vigilant and prioritize the timely application of security updates to protect their digital assets from emerging vulnerabilities.

The Sitecore incident serves as a reminder that even well-established software can contain critical flaws that may be exploited by determined attackers.

Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.